
Pings initiated from the outside, or another low security interface of the PIX, are denied by default. The pings can be allowed by the use of static and access lists or access lists alone. In this example, one server on the inside of the PIX is made accessible to external pings. A static translation is created between the inside address (10.1.1.5) and the outside address (192.168.1.5).

There are two options in PIX 7.x that allow inside users to ping hosts on the outside. The first option is to set up a specific rule for each type of echo message.

For example:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

This allows only these return messages through the firewall when an inside user pings to an outside host. The other types of ICMP status messages might be hostile and the firewall blocks all other ICMP messages.

Another option is to configure ICMP inspection. This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall. In this example, icmp inspection is added to the default global inspection policy.

The management-access command allows users to connect to the management-access interface from the outside ONLY when the user is connected to PIX/ASA using a full tunnel IPSec VPN or SSL VPN client (AnyConnect 2.x client, SVC 1.x) or across a site-to-site IPSec tunnel.

The inside interface of the PIX cannot be accessed from the outside, and vice-versa, unless the management-access is configured in global configuration mode. Once management-access is enabled, Telnet, SSH, or HTTP access must be configured for the desired hosts.

pix(config)#management-access inside
pix(config)#show running-config management-access
management-access inside

Note: For the ASA, ICMP types of 127 and below have hard-coded inspection that cannot be turned off. The inspect icmp command has no effect on this inspection when it is on or off.

Note: A destination unreachable message being sent one way across the ASA referencing a packet that has not already traversed the ASA will be flagged and stopped. This protective ability cannot be turned off.

PIX Software Versions 5.0.1 Through 6.3.3

Inbound ICMP through the PIX is denied by default; outbound ICMP is permitted, but the incoming reply is denied by default.

Note: Version 6.3.3 is the most recent version of code available at the time of publication. For later versions, refer to the release notes for any possible changes.

Pings Inbound

Inbound ICMP can be permitted with either a conduit statement or an access-list statement, based on which you use on the PIX. Do not mix conduits and access lists.

This example shows how to permit ICMP of device 10.1.1.5 inside (static to 192.168.1.5) by all devices outside:
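The configuration below is an added example, not the cut-off Cisco example from the post above. It puts the pieces described in the post together for the one server the post uses (inside 10.1.1.5, translated to 192.168.1.5): the 7.x static plus access-list version, the ICMP-inspection alternative for pings initiated from the inside, and the conduit form for a 5.0.1 through 6.3.3 PIX. Interface names, the access-list number 101 and the policy-map name global_policy are the defaults and the values the post uses; adjust them to the device.

```cisco
! --- PIX/ASA 7.x: let outside hosts ping one inside server ---
! Static translation from the post: inside 10.1.1.5 <-> outside 192.168.1.5
static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255

! Permit echo-request only to that translated address (not "any any echo"),
! plus the reply and error types the post lists so that pings started
! from the inside get their answers back.
access-list 101 permit icmp any host 192.168.1.5 echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

! --- 7.x alternative for inside-initiated pings: ICMP inspection ---
! Added to the default global policy (service-policy global_policy global
! is already present by default). The firewall then allows a reply back
! only to the inside host that sent the matching request, so the
! echo-reply / unreachable / time-exceeded lines above are not needed
! for that case; the "echo" line for 192.168.1.5 is still required for
! pings started from the outside.
policy-map global_policy
 class inspection_default
  inspect icmp

! --- PIX 5.0.1 through 6.3.3: same inbound permit with a conduit ---
! Use either conduits or access-lists on these releases, never both.
! Note the argument order: the global (translated) address comes first.
static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255
conduit permit icmp host 192.168.1.5 any echo
```

Verify the result with show access-list 101 (hit counts increase as pings arrive) or show conduit on 6.x, and with show service-policy inspect icmp once inspection is on. Limiting the echo permit to the single translated host keeps the rest of the outside-facing address space unreachable to probes.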


I want to clarify my problem. Once I connect to the VPN, I get a new ethernet interface with a new private IP address. Once my tunnel is established any data leaving my laptop traverses the tunnel and appears as if it was originating from the inside interface. I am not trying to get ping to travel from outside to inside. I am trying to connect to other machines on the inside interface once the VPN connection is established.

Well, the VPN terminates on the outside interface of the PIX so the traffic does traverse through the firewall.
Did you try adding the sysopt command?
If that doesn't work, have a look at the logs to see what is showing up there.
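The following is an added example, not part of either participant's post, showing the two commands the thread refers to: the sysopt command that lets decrypted VPN-client traffic bypass the interface access list, and management-access so the client can also reach the inside interface itself. The keyword after sysopt connection changed between releases (permit-ipsec on older 7.x code, permit-vpn on later ASA/PIX releases); which one applies is an assumption to confirm with sysopt connection ? on the device. The 10.0.1.0/24 network is the one named later in this thread.

```cisco
! Allow traffic arriving through an established IPsec / SSL VPN tunnel
! to reach inside hosts without needing matching lines in the outside
! interface access list. Use "permit-ipsec" on older 7.x releases.
sysopt connection permit-vpn

! Let the VPN client manage (ping, SSH, HTTPS) the inside interface
! address even though the tunnel terminates on the outside interface.
management-access inside

! SSH from the VPN client pool is still subject to its own permit list;
! 10.0.1.0/24 is the inside network this thread is working with.
ssh 10.0.1.0 255.255.255.0 inside

! Confirm the settings took effect
show running-config sysopt
show running-config management-access
```

If pings now succeed but an application still fails, the next thing to check is the log for a denied connection (show logging, or a syslog server) so that the blocked port, rather than ICMP, can be identified.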

pc_evansAuthor Commented: 2012-03-29

That worked. I can now ping a host on the 10.0.1.0 network. I am trying to set this up so my friend can run a client-server based application. Now that the tunnel is connected and I can ping other hosts on the inside is there any reason why other applications wouldn't connect?